Key Takeaways
- Reviewing IT partners’ patching policies and remediation timelines is crucial to prevent cyberattacks that exploit known vulnerabilities.
- Ensuring sufficient cyber insurance coverage for the impact of a multi-customer incident is essential.
- Testing IT providers’ processes, including penetration testing and security monitoring, is vital to identify potential risks.
- Ongoing diligence and oversight are necessary to ensure that security controls and procedures remain appropriate as systems evolve.
- Cyber due diligence should be a dedicated and optimized process, rather than a collateral duty.
Introduction to Vulnerability Management
Identifying, prioritizing, and remediating vulnerabilities is a critical aspect of cybersecurity. A review of an IT partner’s patching policies and remediation timelines should never be overlooked, as many cyberattacks exploit known vulnerabilities. According to Perez-Etchegoyen, slow patch cycles can lead to supply chain disruptions, business operational issues, and even bankruptcy in some cases. Therefore, it is essential to emphasize Service Level Agreements (SLAs) related to critical patches and proof that fixes are validated. This can be achieved by regularly reviewing and updating patching policies, as well as conducting regular security audits to identify potential vulnerabilities.
The Importance of Cyber Insurance
Carrying enough cyber insurance to cover the impact of a multi-customer incident is also crucial. As SANS Institute’s Wright notes, attackers have lots of motive to target SaaS providers, as the access obtained when a SaaS provider is compromised is significant, with lots of subsequent opportunity for ransomware, extortion, and direct harassment attacks against customers. Ventrone recommends that clients confirm their provider’s policy covers not only themselves but the full impact of a multi-customer incident. This can be achieved by reviewing the provider’s insurance policy and ensuring that it includes coverage for multi-customer incidents, as well as conducting regular risk assessments to identify potential vulnerabilities.
Testing IT Providers’ Processes
Attestations regarding cybersecurity testing and monitoring, such as regular penetration testing, 24/7/365 security monitoring, and threat hunting, are essential. However, Alford recommends going a step further by testing IT providers’ processes in practice, rather than just relying on questionnaire-based reviews. This can be achieved by conducting regular penetration testing, vulnerability assessments, and security audits to identify potential risks. For example, a company can conduct a penetration test to identify vulnerabilities in their IT provider’s systems, and then work with the provider to remediate those vulnerabilities. By doing so, clients can verify that their IT providers have strong verification steps in place and that their processes work as intended.
The Need for Ongoing Diligence
Ongoing diligence and oversight are necessary to ensure that security controls and procedures remain appropriate as systems evolve. Ventrone notes that recent incidents underscore that many organizations are not adequately managing third-party risk over the full lifecycle of their IT provider relationships. Too often, due diligence is treated as a one-time exercise, with insufficient ongoing oversight to ensure that security controls and procedures remain appropriate as systems evolve. For instance, a company can establish a regular review process to ensure that their IT providers’ security controls and procedures are up-to-date and effective. This can include regular security audits, risk assessments, and penetration testing to identify potential vulnerabilities and ensure that the IT provider is taking adequate steps to remediate them.
The Risks of Insufficient Cyber Due Diligence
Cyber due diligence often falls through the cracks, with many client organizations still falling short in managing third-party risk. According to Corcoran, this is often because cyber due diligence is treated as a collateral duty, split between procurement and general risk functions rather than a dedicated, optimized process. As a result, business stakeholders remain unsatisfied, and critical risks go unmitigated, even as attackers increasingly exploit weaker links in the supply chain. For example, a company can establish a dedicated cybersecurity team to oversee cyber due diligence and ensure that IT providers are held to high security standards. By doing so, companies can reduce the risk of cyberattacks and ensure that their IT providers are taking adequate steps to protect their systems and data.
The Increasing Importance of Cybersecurity
Partners in the IT ecosystem are being seen by cybercriminals as weaker links, making it increasingly important to ensure that cybersecurity is a top priority. By reviewing IT partners’ patching policies and remediation timelines, carrying enough cyber insurance, testing IT providers’ processes, and conducting ongoing diligence and oversight, companies can reduce the risk of cyberattacks and protect their systems and data. Additionally, companies should prioritize cybersecurity and make it a dedicated and optimized process, rather than a collateral duty. This can be achieved by establishing a dedicated cybersecurity team, conducting regular security audits and risk assessments, and ensuring that IT providers are held to high security standards. By taking these steps, companies can reduce the risk of cyberattacks and ensure that their IT providers are taking adequate steps to protect their systems and data. Furthermore, companies should also consider implementing a incident response plan, which outlines the steps to be taken in case of a cyberattack, and conduct regular training and awareness programs for employees to educate them on cybersecurity best practices.
